Openclaw Action

This action performs the advertised scans, but it contradicts its own trust claims: instead of running only local, auditable code, action.yml downloads and executes scanner scripts from GitHub at runtime (raw URLs on the main branches). That creates a supply-chain risk because those remote files can change or be compromised. Before installing or using this Action, consider: - Prefer vendored or pinned scanner code: vendor the scanner scripts into the action repository or fetch scripts pinned to a specific commit SHA or release tag instead of raw 'main' URLs. - Review the exact remote files to be executed (the three raw.githubusercontent.com URLs) and verify the upstream maintainers and commit SHAs. If you cannot verify, do not allow the action to run with elevated access. - Treat this action as having the ability to execute arbitrary Python fetched at runtime: ensure it runs with least privilege in your CI, and avoid exposing secrets to runs triggered by untrusted forks or contributors. - If you need stronger assurance, replace the runtime curl step with code checked into your organization (or use a verified marketplace action), or require that the scanner code is included in the repo under review so behavior is fully auditable. If you accept the current design, at minimum ask the publisher to pin downloads to immutables (commit SHAs/releases) and update the README to remove the false 'No network calls' claim. If you cannot confirm the upstream repositories are trustworthy, treat the action as risky and avoid installing it.